32. The Formula - Part 2: Protect Your Data
Welcome, everybody, to episode 32 of UnHacked. I found myself having to check my notes real quick. Oh, my gee. We did 31 last week. It actually just dropped this morning, and I don't know if you guys have gone back and listened to it, but if I do say so myself, it was some good stuff.
Justin:So here we are in week 2 of our mini series on what is the formula to protect your data. And today's kind of a big one. Last week, we talked about protecting your technology. And now, as we dive into data, you guys remember the days when data lived on a server and we had a tape backup and we were done. Right?
Justin:Like, check, fucking check. It's over.
Bryan:Good old days.
Justin:You know, as I sat here trying to write the outline for today's episode, I'm like, Jesus Christ, this isn't math, because I've got data living in, and I don't wanna rat myself out too much so that somebody can hack me, but my online financing program, my online slash cloud based CRM, I've got SharePoint. I've got OneDrive. I've got files on my local drive, that has to be there, by the way, because usually we try to keep our data on the server or on the cloud or whatever. But I've got stuff that has to live on my hard drive for video and audio editing. It's everywhere.
Justin:So, it was a little bit tricky trying to figure out how to put together this outline without making it just terribly boring for all of us. And here's what we've decided to do: we're just gonna do kind of a free-for-all. We're all just gonna throw out different scenarios, different thoughts on how you know where your data lives and how it's being protected. Before we go there, let's go ahead and do some quick introductions. I am Justin Shelley, CEO of Phoenix IT Advisors, and I am frazzled as shit today.
Justin:I have to tell on myself: when I should have been preparing for today's podcast, I spent 4 hours looking for my car keys. I have never in my life lost something so effectively. I was really proud of myself. Anyway, I'm sitting in my Dallas office today. No.
Justin:You can't really see, honey, the nice high rise of the beautiful Dallas, Texas. I love this place. But it's not my normal recording studio, so it adds to my out of sorts nature. That's my introduction. We're gonna go, Bryan, Barinder, and Mario, tell us who you are, what you do, and who you do it for.
Justin:Bryan, go.
Bryan:Excellent. Bryan Lachepore with B4 Networks based out of Niagara Region in Ontario, Canada. And we help business owners in various industries, but we just help them make their headaches that come with dealing with technology go away.
Barinder:Alright. Barinder. Right. Barinder Haas, CEO of Red Rhino. We are based just outside of Vancouver, BC, also fellow Canadian.
Barinder:And similar to Bryan, we're an MSP, and we really focus on that client IT partnership and really help their business excel.
Justin:Okay. Mario?
Mario:Mario Zaki, CEO of MasTec. I mean, everybody out there should already know who I am. You know, kind of a big deal. But in case you don't know, we are an IT MSP in the New Jersey area right outside Manhattan. And we have been in business for about 20 years servicing construction, engineering, architect, and whoever else wants our services and has got money.
Justin:He's got money. I am
Barinder:Mario, I honestly can't recognize you if you're not in your Super Mario gear. This version is really not the big deal version.
Mario:It's not it's I'm I'm trying to downplay it a little bit. You know? Are you not? I'm trying to stay humble. I
Justin:hope you know. I'm kind of a big deal. Wasn't that Anchorman?
Barinder:Yeah.
Justin:Oh, god. Okay. Listen. I've said this before, and I'll say it again. These, you know, I love being able to do this with you guys every week to record these podcasts.
Justin:Not only do I feel like there is value in this to the community, but I'm just straight up selfish here. I get to sit with some of the brightest minds in the industry week after week and talk about some of the most complex problems that we deal with in business, and I am better and smarter for it. So thank you guys for being here. Genuinely appreciate it.
Mario:Thank you.
Justin:With that, we are about to hopefully not bore business owners to tears as we talk about your data, where it lives, how you identify it, how you keep it safe, protected, your eyes only, backed up, test restored. I mean, this is like I said, this is just that's a broad topic that I didn't really even know how to build the, the outline. But as we sat here and talked about it, you guys started, like, spewing all the brilliance that I wanted to outline anyways. I'm like, stop. Cut.
Justin:Let's go. So let's try to jump back into that, that setting. And, you know, we started we talked about there's there's websites not only and and, Brian, you jumped in. I put your name on this one. So tell us a little bit about because this is often overlooked.
Justin:When we talk about data that needs to be backed up, what do we have to do with our websites?
Bryan:Well, yes. What you mentioned is often overlooked, and that's so true not only from a data backup perspective but even just from a cyber security perspective in general. A lot of business owners outsource their website to a 3rd party to design it, and then they have this wonderful website, whether it's interactive or whether it's static. They put it up on the web and then they essentially forget about it. They upload it to their own, you know, their own cloud web server for providing it to the public, and the web developer often falls in the background.
Bryan:They're no longer involved because somebody else is hosting it, and then, you know, maybe a year or so down the road, the website either gets corrupted or there's data loss, and then they don't have access to their website anymore. They have to start from scratch because the developer was like, oh, we didn't keep a record of that. You didn't have a record of it, and so there's no backup of your website. So if you have a static website, definitely back it up when you first originally put it up. But if it is a website that is dynamic and changes on a regular basis, then you should have an ongoing backup of your website set up.
Bryan:And if you have code in your website, meaning, you know, maybe you're using WordPress or using modules that come with WordPress, then you also I know we're not talking about cybersecurity specifically, but we also have to make sure we update that website on a regular basis to make sure nothing gets compromised down the road. So back up and, and keep it up to date.
Justin:This this is a subject that became kind of eye opening for me because we had clients that would, I didn't know it, by the way. They would put in tickets that, hey. Can you help me tweak this website? And it was some custom design, custom coded in a language I didn't know, by developers that are, like, long gone. And and god bless them.
Justin:My techs are like, yeah. I mean, I'll try. And they get in there and they tinker with that code. Does anybody here write code either for fun or for okay. Have you ever?
Justin:Nobody?
Bryan:Yeah. Yeah. Okay. I haven't.
Barinder:A lot a a long time ago. That was yeah. Oh, it's almost we
Bryan:we have teams, like, a couple of my team members that do as well.
Justin:Okay. Yeah. Yeah. So just just HTML, the most basic, website scripting lang or it's not even a scripting language, but, all it takes is to forget a backslash or forget a closing bracket, and you can destroy it in your web page. Have you guys ever done that?
Justin:Have you had that experience? And then good luck finding it. So this is kind of the situation where I found myself in. And they came to me and I'm like, hey. Can you can you look through this and see if, you can help me find out where I messed it up?
Justin:What the hell are you doing? And there are few things
Barinder:more enjoyable than looking through somebody else's code. I
Justin:mean,
Barinder:if you really want if you really wanna spend an afternoon of joy
Justin:I mean, we got through it. We figured it out. And then I said, don't you ever ever touch another client's website again. We are not web developers. Yeah.
Justin:But it's just another example of where somebody well meaning, whether it's somebody you hire on Fiverr.com or, you know, maybe it's even a professional, can screw up the code when you're trying to update it, because that's what we're talking about. You have to keep it up to date. You wanna make changes to it. It's really nice to have a backup when somebody deletes that right angle bracket and they don't know where it went.
Mario:I mean, actually, you know what? Nowadays, best thing to do is to throw it into ChatGPT and have it write the code for you.
Justin:Okay. I mean, maybe, but that wasn't around when this happened to me. So, it's like information that you would have been useful yesterday. I don't know. That's, trying to quote Adam Sandler.
Justin:I'm quoting like that. Like, when I misquote it. Yeah. See, we do have better tools today. Brian, any other thoughts on on website or anybody else have thoughts on website?
Barinder:I would just say it's dirt cheap, do it. Again, if your web host doesn't have a built in functionality to do a backup, find a new web host. It's cheap, and it should be automatic, unless you're running something complex with web servers.
Justin:Okay. Yep. Alright. So website's out of the way. Guys, where else does data live that because I think it's it's easy enough to just say if you have a server and you have data on it, back that up.
Justin:That's kind of a something we don't really need to dig into. If you don't know that, and your IT company isn't doing that for you, I I don't know that we can help you. So let's talk about No.
Barinder:No. My my company can help you absolutely call
Justin:me. Well, I I I am saying that, like, if you have that many blind spots, you probably have bigger problems. Alright. I'm gonna stop there because I could say some stuff that would really scare you can you can end your business by blind spots. Like, you it it can be game over.
Justin:And and there are certain things that I don't wanna touch. And if I came into a company that had a server and an IT company that wasn't backing it up or they're trying to do it in house and I didn't know how to do it or they're doing it wrong, that's just scary because this is this is basic basic. We've been doing this since, like, 1980.
Bryan:Speaking of that, I have I have twice now, recently, well, within the last 2 weeks, went and met with potential clients who had network attached storage units, both of which not being backed up. One of them, we onboarded. And as we're onboarding them, the unit failed. And thankfully, we had just taken a backup of it. Yeah.
Bryan:So network attached storage, if you have it, it still needs to be backed up.
Justin:And and monitored and tested and, you know, tabletop exercises. We'll come back to that. But, And
Bryan:oh, and and having 2 drives in the network attached storage that are mirrored is not a backup. That is just redundancy. So just Yep. For clarification.
Justin:Yeah. Still like,
Mario:that will not protect you. Yeah. Exactly. That will not protect you against hackers or any of that stuff.
Justin:Yeah. I've been I've been in IT since 1997, and I I think it's, like, twice in my entire career that a mirror drive was helpful. Yeah. That and we all still do it. But, yeah, that's that's it solves one problem, and there are a million more that we need to talk about.
Justin:So
Mario:Yeah.
Justin:Yeah. Okay. So there we go. We're gonna call that. We've we've talked about servers now.
Justin:They are important. Those backups are important. They need to be on your plan. What else? Where are some blind spots people might come across? And, Barinder, you kinda, this is where I cut things down because you were going off on stuff that, like, wait.
Justin:We need to record that.
Barinder:Yeah. I think as a business leader, you need to zoom out and ask yourself, what data do you have and where is it? Right? What is your most sensitive data that if it was either breached through cybersecurity or it needs to be protected from an availability perspective because your downtime is gonna cost you money. Right?
Barinder:And so you can label it with sensitivity labels. Right? Like, is this some confidential, owner's eyes only type of thing, or is this are you, a publicly traded company that has obligations, for data protection? Do you have SIN numbers for your employees at the very least that need to be protected? So we have to think about what is the sensitivity around various types of data, and then where does it live?
Barinder:Because you're gonna have it live in 10, 15 different places if you start really adding it up. And if you don't have policies for your staff on where it should live, what's the right point, because people will save it to any bloody place they want. That's gonna be convenient. You hit the download button. Where does that go?
Barinder:Who knows? Or last place it might've stored something. Right? And, and so we have to have policies and and training, around. Those are like when I get into new prospect conversations, the first thing I ask is, what is your most important data?
Barinder:Because me coming in as an IT service provider, I need to understand my risk. And if I'm thinking about my risk as an IT service provider, they better be thinking about their risk as a as the owner of that data. And it's my job to think about it on their behalf, and that's really why I'm asking. But and I need to have those conversations. And it's, you know, you talked about having good IT.
Barinder:You should be thinking about these questions and having these questions answered for yourself already. But the sad state of our industry is that the vast majority of IT service providers don't ask those questions and they just sign off on the contract, do day to day break-fix work, and they just never have these real productive conversations around the business and data.
Justin:Right. Okay. Mario, I think Yeah.
Barinder:Go ahead. I was gonna say, though, each of those topics you could dive into in detail now.
Justin:Absolutely. Yeah. Mario, I I it looked like you had some thoughts earlier, and I kinda cut you off.
Mario:No. No. Yeah. I mean, essentially, you know, like Barinder said, it is very, you know, wide, and we can have our own podcast just on each one of those topics. But essentially, the way you gotta look at it is, like, if you walk in tomorrow and you don't have access to that platform or to that file or to whatever, are you gonna be able to operate?
Mario:Are you gonna be able to, you know, recoup? You know, like, if you're an accountant and, you know, right right now, they're they're going through tax season, the second part of tax season for anybody that did extensions. And if you don't have access to your QuickBooks or Peachtree, you know, your Sage or whatever, can you continue? Can you pivot and just continue working? For them, the answer is no.
Mario:So that is, like, the most important thing that you need to not only make sure you're backing up, but you're backing up, like, you know, to 2, 3 different spots. Because if one fails and sometimes they fail, you wanna make sure, that you can still get it and continue operating and not have to close them.
Justin:Well, that's Casey. You bring that up, and I'm gonna kinda go out of turn here. It it is also important to have a plan for those worst case scenarios. Even if the plan is, okay. If it gets to this point, then we'll close our offices, and here's how we're going to notify our clients.
Justin:Like, I don't mean permanently closed. God forbid we're talking about that. But, you know, if if, if you're if you're really down and you can't come up with a manual way to do your work, then, really, you should have, something in place for how you're gonna handle that.
Barinder:Well, last year, there's two comments on that, Justin. Number 1, when it comes to your downtime strategy, you absolutely have to come up with it. Last year, we were at the Omni Hotel when they did have that cybersecurity outage, and they did actually have a plan. It was an uncomfortable one for guests, but they absolutely did have a plan to get us into the rooms. They had to manage floor manually and have somebody walk us through each room and let us in, but they absolutely had a plan.
Barinder:And number 2, I've already forgotten. So we'll go
Justin:back to it. Well, this is stuff we we do talk about, on a pretty regular basis here, but it's Yeah. It is often overlooked. It's another one of those blind spots where, a data recovery plan usually is how do we restore data and how long is that gonna take. But the secondary component of it is what are we doing to conduct business or not conduct business
Bryan:In the meantime
Justin:if if and when this happens. So, yeah. Yeah. Alright. What else, guys?
Justin:We're talking, we're sitting in front of a business owner who has never had this conversation about protecting his data. Where are the blind spots? What do we need to help them see and understand?
Barinder:What can you get sued over? That's the number one question every business owner should think about. Like, if you leak this data, some malicious person sends you a message saying, hey. I have your data, and it's a WhatsApp message. And if you're a lawyer, that's a big deal.
Barinder:Health care provider, that's a big deal. Those are, you know, either gonna take down your business or they might have additional regulations like the health care industry you don't wanna breach. And so, SIN numbers, like we mentioned earlier, if you're in the US and you're a Department of Defense contractor, there's requirements, and there's other industries' various compliance requirements. So, like, those are some of the first questions you should ask yourself. Like, what are you gonna get sued over, fined over, or have enough brand damage that you don't recover?
Barinder:Oh, and that was gonna be my second point. I remember now a significant percentage of people who have critical failure of their data don't recover and they shut the doors.
Justin:Yeah. Yeah. Even those that do end up
Bryan:recovering you're you know, they don't they often don't survive the year.
Justin:The damage can be too deep. Yeah. Yep. So that is what we are trying to prevent. That's, honestly, that's why we're here is to make sure that kind of stuff never happens.
Justin:So one of the things that I've said before, so I'll I'll just review it because it's on topic, is the way I try to, coach a client through this process is I break down their I mean, you can almost look at an org chart. Right? You've got you've got the top, and then every business is going to have a a way to bring in new clients, call it biz dev, call it sales and marketing. And then you're gonna have an operations, and then you're going to have, finance or admin or, you know, kind of a a grouping of, ancillary services. So what I like to do is just sit down and go through each one of these.
Justin:Alright? Let's talk about how you bring clients in. What software do you use? What data is stored in that software, and where is that data stored? Alright?
Justin:And then we can make a plan for how we're gonna protect it and how we're gonna test it. And then we go to operations. What are you using in operations? What are the systems that you use here? And then because if you just go and say, hey.
Justin:Where's your data? It's on the server or, you know, it's on SharePoint. Okay. And then we'll back up the server. We'll back up SharePoint and then, you know, get completely blindsided by some of this other stuff.
Justin:So I I just build a simple spreadsheet and say, alright. These are the job functions. This is the software you use. This is the data. Here's where it lives.
Justin:And, Barinder, I like what you're talking about. Assign a level of importance to it or,
Mario:sensitivity.
Justin:Sensitivity. Here we go. So so let's just say we've done that. Right? We've got our spreadsheet.
Justin:We know where everything lives. We have a plan. The plan has been, handed off because very few business owners are doing this themselves. Now what? Is that good enough?
Justin:Do we trust it? Are we comfortable? Are we sleeping well at night? What's the next step once we have identified all this?
Mario:Test it.
Bryan:Couple of things. Well, before even testing it, I would say, have an analysis done to see if anybody's storing things in places they're not supposed to. We
Justin:like to call
Bryan:that shadow IT, you know, world employees doing their own thing. And in often cases, it's an entire department. Right? An entire department, a manager somewhere in your organization decided, you know what? I don't like I don't like using OneDrive, so we're gonna use Dropbox and and, you know, in marketing.
Bryan:And all of a sudden, you've got all this data located in a place that, as an organization, you don't actually have control over because this rogue manager or rogue employee opened up the account with their personal account and, and their personal credit card, and are using effectively their own tools to store your data. So identifying that would be a key to ensure that the data is where you think it is. But yeah, what Mario said in the end is a backup is only as good as the last time you've tested it. So if you're not testing your backup and restoring on a regular basis, you effectively have no backup.
Mario:Yeah. Now, you know what? I'm gonna actually ask a question to you guys because what I see a lot is a company will say, we use a third party company. It's web hosted. It's web based, and we're good on that.
Mario:Let's not let's not even we don't even need to talk about that. You know? So how do you
Bryan:I use OneDrive. They're responsible for backups.
Mario:No. But like specialty programs. You know? Like, for us, it would be like a CRM or an RMM. You know?
Mario:We're relying on, you know, these companies, and they have their stuff. But I know I know, like, my RMM tool, like, if we delete a computer, we can't get it back. You know? What you know? But we have cuss you know, customers will use a special you know, some some other type of program, either CRM or, you know, like, you know, like, AutoCAD, like, you know, there's some online stuff, you know, whatever.
Mario:How do you rely on those guys? You know, obviously, if they're not you know, they may back up the platform, but they're not backing up your data And you can't back it up. You can't go in we can't go in there and back up our PSA or RMM tools.
Justin:There are definitely cases of, you know, stuff that we just simply cannot back up electronically. I've got 2 thoughts there. You probably need some sort of a a plan to work with paper, which we don't talk about much these days here in 2024. But you might wanna have that included in there. The second thought is where where things can be deleted that are irrecoverable, I do believe that comes down to access control.
Justin:We don't want frontline employees with the power to do that kind of thing. So in your RMM, if you're you're saying, you you know, that's a great example. You delete a computer. You can't get it back. Then most of the people in the company should not have the ability to delete a computer.
Justin:I I that's a
Barinder:It was one of our conversations just recently or a different conversation I was having with other IT folks. But there was a scenario where 2,000 endpoints, a rogue employee just deleted because they were upset about something and then handed in a resignation. And so, obviously, it's, you know, now, you know, it could be a legal situation for that employee, but doesn't help the employer or that business who now all of a sudden has to recover from that scenario. But no, it's a great question, Mario. I think one of the key pieces that has a lot of confusion around it is that when you have Microsoft 365 or Google, people think that the backup is included.
Barinder:And that is absolutely not true. Microsoft and Google will both tell you that what they have is resiliency and fault tolerance. They do not provide a backup. Every customer should have their own backup. If you hit delete, after 60 or 90 days, it is irrecoverable.
Barinder:And so many times, we've had to recover data for clients where you have to go to your 3rd party backup or recover it for them. Right? And Yeah. Same with your emails. And you also have requirements, whether it's IRS or CRA requirements for tax purposes, to hold it for a certain period of time, 7 years of record keeping, potential legal situations.
Barinder:If you wanna hold that data for some, some period of time where you don't want it to be accidentally deleted, because before employees get fired, they know they're gonna get fired, alright, or they're gonna quit. They start cleaning up their mailbox, and they start hitting delete just carte blanche, then there goes all your company records.
Justin:Right.
Barinder:Yeah. Yeah.
Justin:Alright, guys. Thoughts on recovery procedure. A product called tabletop exercise. Are you guys, what term do you use for simulating disaster and simulating recovery from them?
Bryan:Yeah. Tabletop exercises.
Justin:Okay. Mhmm.
Mario:Yeah. Yeah.
Justin:So let's let's run through what that process might look like. We've again, we've identified everything. We have the backups in place. We we are verifying that they're running. How do we how do we do a tabletop exercise?
Bryan:For, I recommend our current clients, their prospects, everybody that I've come across, I always say, listen, if you want to verify that somebody is actually backing up your stuff, create a file somewhere, anywhere, wherever you store it, OneDrive, Google Drive, whether it be on your server or workstation. If it's supposed to be backed up, create a file and the next day delete it and then contact your provider, whoever that is, and say I deleted a file. Here it was in this folder. Can you recover it for me, please? And if they can't, we've got a problem.
Bryan:So you could you can do that type of exercise on a fairly regular basis. The client has control over to do that. The provider wouldn't even know that you're testing them, right? They wouldn't even know and I encourage my customers to do it and my prospects to do it because it just keeps our people on their toes, making sure that they're they're keeping an eye on things. Yeah.
Bryan:That's
Justin:Okay.
Bryan:One way.
Justin:Anybody else?
Barinder:I I like to break it up into 2 categories of of, of, planning. 1 is your typical disaster recovery planning around data, like backup and disaster recovery. That's a subset. That's a known commodity. Typically, whoever is providing your backup solution will think of your disaster recovery scenario.
Barinder:If your servers died or what typically, right, or what whatever happened, here's how we're gonna recover. Here's how long it'll take depending on how much data you have in the cloud, whether you have on premise storage. It's a segmented. It can be complex in some cases, but that's a disaster recovery planning around data itself. But then there's tabletop exercises around cybersecurity incidents that could occur.
Barinder:And that does impact your data, but it's about planning for the cybersecurity incident itself, which, theoretically, if you're locked out of your computers, how are you gonna get back in? Like, if you have 1 or 2 primary accounts, let's say Microsoft admin account was locked and you have SSO, all your various applications to Microsoft 365. Now, what is your backdoor into those scenarios? And so you have to think of, and it's a creative exercise with your IT team and your cybersecurity professionals, running through those various scenarios and say, if this happened, what is our response plan? Could we recover?
Barinder:And even when we did this internally with, my team, we uncovered a scenario. We're like, hey, you know what? That's a very good scenario. If that had occurred to us, we wouldn't have been able to get back in, and so we have to have some access. Because we locked down our fort so tight, if something was to occur, we can't get back in.
Barinder:And in this one specific scenario, we're like, okay. Okay. So that's why password managers and things like that, you wanna be thoughtful about how deeply you secure them so that if worst case scenario occurred, could you get back into your password manager and start resetting some accounts? Do you have phone numbers documented for those right vendors and things like that? But it's all sorts of scenario planning.
Barinder:It's a whole-day affair at the very least, depending on the size of company.
Justin:Right. And I I would say that the probably the most important component of this is that it's done on a regular basis. There's there's a million ways to skin the cat, but every at least once a year, but preferably once a quarter, this is being reviewed. You've you've identified your data. You have created the plan.
Justin:You've tested the plan. But, yeah, pull that piece of paper back out and make sure that you're still using those same applications and make sure that that data still lives where it used to. You know, at least review them and make sure that your plan, because, you know, it used to be a lot easier. I say that a lot. I live in the past.
Justin:You could just walk in and turn the server off and say, okay, guys. Disaster has been terrible. Now what? Get it back up and running. And how long is it gonna take you?
Justin:That's harder to do these days. You can do things like QuickBooks online is a great example because you can just do a simple export and, you know, you can create a trial account or or even pay for account if you have to and then import your data and see see how well that works and see what needs to be changed. So, you know, depending on the the software, depending on the process, you can do some level of testing, but sometimes you can't. So at least review it.
Mario:And, you know, before you even get to the testing phase, you also wanna make sure you you're getting reports. You know, like, you wanna at least at at a minimum, get a daily or weekly report, say, okay, it backed up. We know it's backing up. Let's not wait until yearly or quarterly time to test it. You still wanna test it.
Mario:But before you get to the test, it may be 2 months down the line, you realize, oh, actually, shit. It hasn't backed up. You know, how how come we haven't noticed this? You know, you at minimum, you wanna have reports that will be emailed to you. And, you know, in the subject that will say, you know, backup successful or whatever, backup failed.
Mario:And then if it fails, you you investigate. But you wanna have an ongoing some sort of alert if there is a problem that you you address it. You don't wanna wait until you have to test it. And if you're working with an IT company, you wanna also make sure that they're sending you, you know, at least a weekly report of your your backup, like a backup report, you know, to see if it was working or not.
Justin:Barinder or Bryan, any thoughts on that?
Bryan:I concur, and I'm good.
Barinder:I think most organizations don't do true Doctor planning, disaster recovery planning around their backups. And if you were to ask your service providers, especially if your company that isn't just called solely cloud based, if you've got some servers, if you ask them to do, hey. We'd we'd like to run a fire drill. Imagine our, server room burned down. How long will it take to recover?
Barinder:Can we run that fire drill? Good luck. Good luck if you haven't done that before. That IT team won't be struggling.
Justin:No. Absolutely. Yeah. Yeah. So we've talked about a lot of stuff here.
Justin:One of my thoughts, though, is, like, there's no end. And, Bryan, you always talk about it as a journey, 1% better. And so I'm gonna bring that back to maturity levels. And when we get to, like, when we're talking about true tabletop exercises and really what you just said, Barinder, those are complex. They're difficult.
Justin:They're expensive, and they're probably a maturity level 4 if we're gonna put it on the scale of 1 to 4. So we're not gonna get there today. But if I'm a business owner and I'm listening to this, you know, the real takeaway, the level 1, the stuff that we start with is you gotta know where your data lives. You gotta know how it's being used, and just have a plan of how it's being protected that you can verify on some level. Right?
Justin:Whether that's reports or it's a dashboard that you log into or something, it has to be verifiable on some level. So, that's kind of the simple formula to it. But then there's
Barinder:I've got one more item to add to number 1 that is so obvious that we skip past, but it's sometimes still undone, is permissions. Who should have access in your company to that data? We just took on a client, and they're like, one of their constant frustrations with their IT partner was that every time they onboard a new user, they somehow managed to give the most sensitive owner's financials, that folder What? Permissions because they were SharePoint, and they didn't know how to use SharePoint, this IT provider. Oh, woah.
Barinder:They're just it was botched. This the one folder they absolutely shouldn't have access to got onboarded for every new user they would add. It's like, how do you guys continue to do this? And but it comes down to, like, when you were using technology, you have to set up the right structures around security policies and groups, and then have a system to maintain that. And that's where the least privilege principle applies.
Barinder:Everybody should have the least amount of privileges in their data and in their operations to do the work they need to do. And it is so obvious to us as IT providers, but the how you do it matters so much.
Justin:Yeah. I mean, it kinda comes back to, we say this in general when we're talking about cybersecurity, that it's way easier to prevent an attack than it is to recover from one. And as we sit here talking about data backup, I think you're right. We could have started with, let's talk about how we never have to get in the situation where we're using a data backup or a restore process. We use a backup.
Justin:We don't wanna have to ever have to restore. So, yeah, the privileged access, client clicks on it with, you know, not being able to delete certain stuff, but right. You couldn't even be able to access that stuff. Not just for, confidentiality, but also for the security attack. Right?
Justin:If Yeah. If a bad guy breaches me and I'm a, you know, whatever, level 1 technician, I couldn't they couldn't be able to then get to, the top of the tree of our data. So
Bryan:Right.
Justin:Alright. So, guys, I think we're gonna move towards wrapping this up. We, this is our second in the series of the formula. How do we protect ourselves 100% from the devastation of cybercrime? Well, maybe we can't protect 100% from an incident.
Justin:We could 100% be able to be prepared, avoid them at all cost, and, god forbid, something happens, have a plan in place to take care of it. So last week, we talked about protecting our technology. Today, we talked about protecting our data. Next week is gonna be an interesting one because we're gonna talk about how to protect our people. And because we're doing a special episode for week 4, we're going to roll a bunch of stuff in the next week, which is gonna include policies and procedures.
Justin:And we are gonna find a way to make this so fun and so entertaining that you will not wanna miss the episode. Okay. But I think people went to sleep just when I said policies and procedures. So Yeah. We will find a way to make that interesting and usable.
Justin:So, guys, we're gonna go ahead and wrap this up. We'll do final thoughts, key takeaways. And, Barinder, I'm picking you to go first, and then Mario, and then Bryan, and then we're gonna wrap.
Barinder:I would just say that there's urgent and important tasks. If we think I'll take a look at our greatest things we do in a business, while cybersecurity doesn't show up as urgent, this could take down your business, and it is important. And so do it. Put time on the calendar. Put a couple hours to investigate.
Barinder:Ask the right questions.
Justin:K. Mario?
Mario:Just like other topics we've talked about, it really starts with the users. You gotta educate the users, let them know where they should be saving stuff, how they should be saving it, how they should be labeling it, you know, for future use and stuff like that. But if the users are doing what they're supposed to do and they're trained the right way, then it makes everything after that much easier. You know, it's a lot harder to try to recover something. You know, we see all the time of users like, oh, well, I don't remember where I saved it or, you know, I don't really remember the name.
Mario:You know, I named it something weird or saved, but, you know, something weird. If you if the users are educated, you know, correctly with everything when it comes to IT, it makes all the steps after it much easier.
Justin:Alright. Bryan.
Bryan:Okay. Well, as I say many, many times, cybersecurity, data backups, all of this stuff is complex and it's something that a lot of business owners feel overwhelmed getting into even to begin with. And so what I always say to my clients, my prospects and even on almost all the podcasts is treat it as a journey. If you get started today, nobody's expecting everybody to get everything right 100% on the first go around. But if you treat it as a journey and you add a little bit every single time that you meet with your team and you'll get better and better 1% every day, then by the end of the year, you'll have accomplished more than most business owners have ever accomplished when it comes to this stuff.
Bryan:So just get started, pick 1 or 2 things, implement them, pick another 1 or 2 things, implement them, and, rinse, wash, repeat.
Justin:I like that. You know what? And, Nick, talk all about compliance, kind of the way the way we're leading this now. This could be checked off. We could have the industry standard.
Justin:Right? That's kinda what we're talking about for all 3 of these episodes. Review it. If you're not talking about this with your IT company, it's not happening. I can promise you that.
Justin:So complacency is what will kill us. We have to know where our data lives, how it's being protected, and how it'd be restored if it was lost, and that needs to be reviewed on a regular basis. And ideally, you're having meetings with your IT company or your internal IT staff or, say, quarterly, and this could be brought up and reviewed and refined because it will change. It's a moving target. You just have to go on over this and over this.
Justin:It's too important to be complacent. So, alright. I think that's, that's a wrap, guys. Thanks for being here. We are gonna really get fun next week with policies and procedures, get a little bit legal.
Justin:Maybe we'll talk about lawyers and lawsuits and, court mandated, you know, when you don't have money now all of a sudden you do because the court said you do. That's where you don't wanna that's where you don't wanna end up. So, alright. That's all I've got, guys. Thanks for being here again, and, we'll chat next week.
Justin:Take care.
Mario:Take care. Cheers. Bye, guys. Thanks.